Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

In the second and concluding video in Module 6, Dean presents several more NIST documents and highlights key areas of each. The first is a more recent document that is still in draft form: NIST SP 800-154, Guide to Data-Centric System Threat Modeling. This guide is focused on systems rather than threats in general; it explains attacks and the vectors they target, and the methodology, controls, and countermeasures used to defend against them. NIST SP 800-150, Guide to Cyber Threat Information Sharing, is another recent and shorter document that deals with information sharing. It discusses the value of a threat analyst and how they interact with management, and it covers identifying stakeholders, producers, and consumers, and the scope of information sharing among them. Dean also discusses change management and security posture, drawing an analogy with layered castle defenses such as a moat and drawbridge. Change management depends on identifying and inventorying assets, which, though tedious, is an essential, foundational step. The video concludes with a discussion of incident response documentation and how asset types feed into it, and of the three ongoing levels of investigation: compliance audits, security control assessments, and penetration tests, each of which builds on the one before it.

Video Transcription

00:04
They also have another publication for data-centric
00:07
system threat modeling.
00:14
This is a draft document, so it has a look, and some other features, that may be a little bit distracting. But the nice thing is that it's very recent.
00:24
It just came out less than a year ago,
00:27
and it's a little bit more focused on
00:30
systems and instead of
00:32
threats overall.
00:34
So we see some
00:36
well
00:37
explanation of what attacks are.
00:40
what attack vectors mean in that sense,
00:44
how you defend against these kinds of attacks. What kind of security controls or countermeasures
00:48
do you put into place?
00:50
And then it goes through a methodology, which is somewhat similar to what we saw in the other document.
00:58
You're identifying your system. You're gonna find the attack vectors,
01:03
seeing if your controls or countermeasures that are in place are likely to be effective.
01:08
And then you might look at your threat modeling that you did in
01:11
using the previous document
01:14
to do some of this work.
01:15
So it goes through and gives some breakdown on the different
01:21
steps that you might take
01:23
to do this kind of work.
01:25
And because it's still a draft document, there is a lot of markup information that's still here, but it's pretty useful overall
01:30
and definitely worth looking into.
01:33
So this is 800-154,
01:40
and then another document, which could be useful,
01:42
is information sharing: cyber threat information sharing,
01:47
SP 800-150.
01:57
This one's also fairly recent,
00:00
only a few months old, really,
02:01
back in October,
02:05
and we talked a little bit about information sharing in a previous discussion.
02:09
But it's good to also bring this document up here because we're still talking about the value of a
02:15
threat analyst
02:16
and how they interact with management so that management can make risk-based decisions.
02:23
So it breaks down
02:23
the different types of threat information,
02:28
the benefits of sharing it, of course.
02:30
And then, as we mentioned in the previous section, trying to identify the appropriate stakeholders: who is producing the intel, who is
02:38
consuming
02:40
what kind of scope should be defined.
02:44
And as we saw with creating an
02:47
information sharing
02:50
organization, we can
02:52
enlist the help of other organizations to share information together
02:55
and give each of those organizations a little bit of extra advantage, because you've got access to a larger amount of information.
03:06
So that's a good document to look into as well. These are all fairly short, so
03:10
they don't make
03:14
for a very long reading exercise, but they are definitely worth looking into.
03:21
So, once again,
03:23
risk management and threat modeling with 800-154, and then information sharing with 800-150.
03:30
Definitely look into those.
03:35
All right, so let's think about
03:37
change management and security posture.
03:39
Security posture: a good analogy for this is something like a castle, right? This is a castle that's
03:46
got a moat around it.
03:46
Um,
03:47
maybe it has a drawbridge.
03:51
It might have other, different layers of defenses,
03:53
and that's very similar to an organization. We can think about the physical perimeter
04:00
as being the outermost
04:02
defensive layer.
04:04
But then there are other layers that are physical as well. You've got gates, guns, and guards,
04:12
you know, locked doors, security cameras, and so on. But there are also
04:15
security controls that are logical or technical controls,
04:20
things like firewalls and proxies and
04:26
encryption.
04:27
These are all extra layers of
04:30
of protection that organizations put into place in order to better
04:34
protect their assets.
04:36
One of the most important things to deal with
04:40
when you're thinking about change management or configuration management is having a valid,
04:45
accurate inventory
04:47
If you don't know what assets you have, it becomes very difficult to properly protect them.
04:54
And anyone who's been involved in doing inventory work probably knows it's not very much fun.
05:00
It can be very tedious.
05:01
But there are ways to make it a little bit easier by using
05:04
barcodes,
05:06
or QR code labels for asset tags and so on, using databases or handheld barcode readers to make life a little easier.
05:15
But
05:15
making sure you know all your assets to begin with is a great foundational step
05:20
so that configuration management can be more effective.
05:25
It also translates into
05:27
the documentation that the organization uses for incident response,
05:32
because there could be special policies in place for certain types of assets.
05:38
You're going to protect a
05:40
critical server differently than you would protect an end-user workstation, for instance.
05:46
Maybe email servers are protected differently than database servers, and so on.
05:49
So your incident response
05:53
documentation should take those different asset types into consideration when developing your procedures based on the policies,
06:01
and then we have
06:02
the three levels of
06:06
investigation that an organization should engage in
06:10
on an ongoing basis.
06:12
We start off with compliance audits.
06:15
Compliance audits are just what
06:17
the
06:19
basic foundation is made of: you're determining, do our assets conform to our policies,
06:27
or even to regulations or laws?
06:30
This is a good thing to verify,
06:32
because it means
06:35
that you've achieved some correctness in the configurations of your assets.
06:41
This means you've got a password policy in place, you don't have any
06:45
default settings left in your applications,
06:47
any extraneous user accounts have been removed, and all these different things.
06:53
And
06:54
every organization is going to have a large list of these types of requirements
06:59
that they are
07:00
trying to achieve internally,
07:02
and especially if you are a healthcare organization, or if you're a financial organization,
07:09
there are many external requirements which must be met for compliance audits,
07:14
with regulations and laws that
07:16
07:17
might have an annual requirement, things like FISMA, for instance.
07:21
after the compliance audit,
07:25
a control assessment might be considered.
07:28
Both of these things might happen based on two different triggers.
07:31
It could be that it's a time based trigger
07:34
like it's the annual time to do this. Every January we engage in a compliance audit. Every June we do a security control assessment,
07:46
and maybe every September we do a penetration test.
07:48
That could be the case for an organization.
07:51
Time-based triggers are
07:54
a good minimum requirement to have,
07:58
but there's also an event-based trigger requirement as well.
08:03
If, for instance,
08:05
there are suspicions that you've got a bunch of assets that are not in compliance
08:09
or you've got a bunch of security controls that haven't been assessed and they don't appear to be functioning correctly,
08:15
then you may disregard
08:16
the time-based trigger. You're not gonna wait six months to go look into this problem. You're going to do it now, because there's an urgent need to verify that the settings in these
08:24
controls are in place.
08:28
so
08:30
the compliance audit provides a bit of a foundation for the security control assessment,
08:35
because these are both traceable back to
08:39
policies that were created as part of the governance model of your organization,
08:43
and the
08:46
security control assessment provides a foundation for a penetration test,
08:50
because a security control assessment can find vulnerabilities.
08:54
It can find weaknesses, things
08:56
that appear to be missing or incorrectly configured.
09:00
But it generally does not go
09:03
so far as to prove that damage could be done by exploiting these weaknesses. That's where the penetration test comes in.
09:11
So the penetration test will be something that you would do after these other activities
09:16
in order to
09:16
to provide some assurance that either the controls are not as vulnerable as they were thought to be,
09:24
or, trying to prove
09:26
that a breach of the perimeter of defenses or a breach of an application or operating system is actually possible
09:33
and therefore further work must be done in order to remediate that issue and
09:37
prevent it from happening again.

Up Next

Intro to Cyber Threat Intelligence

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor